Twitter looks to add two-factor authentication to stop password hacks

In light of 250,000 accounts exposed, Twitter seeks to put an end to password hacks.

Twitter is looking to add another layer of protection to its user authentication. After at least 250,000 account passwords were compromised in an attack against its service last week, Twitter apparently plans to implement two-factor authentication as an option to help users better protect their accounts—or at least it's hiring people to help do that.

In a job listing posted by Twitter this week, the company seeks software engineers to develop "user-facing security features, such as multifactor authentication and fraudulent login detection." When contacted by Ars, a representative for Twitter said the company has no specific details to share about its plans at this time.

Those measures protect users' passwords and session cookies from being intercepted in transit in most cases. But they don't guard against "man-in-the-middle" attacks, where a malicious access point or firewall running an SSL proxy terminates the encrypted connection itself and re-encrypts it toward the client. That only works when the client trusts the proxy's certificate (for example, a corporate CA installed on the device) or the user clicks through a certificate warning, but both happen often enough to matter. Hackers have also grabbed users' Twitter credentials through malicious webpages using cross-site scripting, e-mail "phishing" attacks, and other means. Last August, for example, the Reuters news service had its Twitter feed taken over by pro-Syrian hackers who pulled the Twitter password from the service's blogging platform.

Two-factor schemes don't stop passwords from being stolen by any of these means, but they do keep a stolen password from being enough on its own to take over an account, which is exactly the situation created by last week's Twitter breach. They are weaker against real-time phishing or man-in-the-middle attacks, where the attacker relays the one-time code to the real site before it expires. Currently, Google and Microsoft offer forms of two-factor authentication for their services, sending a code by text message to a "trusted" mobile device to confirm logins from previously unknown devices or IP addresses. Google also lets users print out "one-use" backup codes to carry with them, so they can authenticate from a new location or device without a phone.
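To make the "one-use" printed codes concrete, here is an added example (not code from the article or from Google) of how a service might issue and redeem them: the codes are drawn from a CSPRNG with an alphabet that avoids easily misread characters, stored only as salted PBKDF2 hashes, normalized on input so users can type them back from paper, and deleted the moment they are accepted so a second use fails. The code count, length and iteration count are assumptions.

```python
import hashlib
import hmac
import secrets

# Alphabet with no 0/o, 1/l/i: printed codes get typed back by hand.
ALPHABET = "abcdefghjkmnpqrstuvwxyz23456789"


def generate_backup_codes(count: int = 10, length: int = 8) -> list[str]:
    """Random single-use codes, formatted xxxx-xxxx for the printout."""
    codes = []
    for _ in range(count):
        raw = "".join(secrets.choice(ALPHABET) for _ in range(length))
        codes.append(raw[: length // 2] + "-" + raw[length // 2 :])
    return codes


def normalize(code: str) -> str:
    """Accept what a user types from the paper: case, spaces and dashes don't matter."""
    return "".join(ch for ch in code.lower() if ch.isalnum())


def hash_code(code: str, salt: bytes) -> bytes:
    # An 8-character code from a 31-symbol alphabet carries only ~40 bits of entropy,
    # so a leaked table of fast hashes would be brute-forceable; a slow KDF is needed.
    # One salt per user (not per code) keeps redemption to a single KDF call.
    return hashlib.pbkdf2_hmac("sha256", normalize(code).encode(), salt, 100_000)


class BackupCodeStore:
    """Server-side record of a user's unused codes; the plaintext is never kept."""

    def __init__(self, codes: list[str]):
        self.salt = secrets.token_bytes(16)
        self.hashes = [hash_code(c, self.salt) for c in codes]

    def redeem(self, code: str) -> bool:
        """True exactly once per code; the hash is deleted on success."""
        candidate = hash_code(code, self.salt)
        for stored in self.hashes:
            if hmac.compare_digest(stored, candidate):
                self.hashes.remove(stored)
                return True
        return False

    def remaining(self) -> int:
        return len(self.hashes)


if __name__ == "__main__":
    printed = generate_backup_codes()
    store = BackupCodeStore(printed)
    print("codes to print:", printed)
    print("first use:", store.redeem(printed[0]), "second use:", store.redeem(printed[0]))
```

A real deployment would also rate-limit redemption attempts per account, since the codes are short enough that unthrottled online guessing is a concern, and would warn the user when only a few codes remain.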

But two-factor authentication isn't a cure-all for user security. For example, in the case of Wired's Mat Honan, attackers were able to use publicly available information to convince Apple they were Honan so they could "recover" his account and reset his AppleID password. From there they gained access to his Twitter account and to Gizmodo's Twitter account, which was linked to it. Account recovery lets users reset their credentials through an alternate e-mail address if they lose or forget a password, but it also chains accounts together: Honan's alternate address for Gmail was his Apple e-mail, so once the attackers controlled the Apple account they could reset Gmail, and from Gmail reach Twitter. The weakest recovery path in the chain, here a phone call to Apple's support line, set the security level of everything downstream of it, second factor or not.
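The chain described above is easy to miss when each account is reviewed on its own, so here is an added example (not from the article) that models recovery paths as a graph and computes what falls when one entry point is compromised. The account names, the "phone support" entry point and the Gizmodo link are constructed for illustration; the example generalizes beyond Honan's case by ranking every channel by the number of accounts it can take down, and shows that pointing Gmail's recovery at an independent channel would have stopped the cascade at the Apple account.

```python
from collections import deque

# Constructed model: account -> channels that can reset it.  Any one compromised
# channel is enough to reset the account ("or" semantics), which is how e-mail-based
# recovery behaves.  Channel names are assumptions, not the services' real identifiers.
RECOVERY = {
    "apple_id": ["apple_phone_support"],  # reset over the phone with public info
    "gmail": ["apple_id"],                # alternate address was the Apple e-mail
    "twitter": ["gmail"],
    "gizmodo_twitter": ["twitter"],       # assumed: linked to the personal account
}

# Same accounts, but Gmail recovery goes to a channel Apple cannot reach.
HARDENED = dict(RECOVERY, gmail=["sms_to_phone"])


def cascade(recovery: dict, compromised: str) -> set:
    """Every account an attacker reaches after taking over `compromised`.

    Breadth-first: each newly fallen account is itself a channel that may reset others.
    """
    fallen = {compromised}
    queue = deque([compromised])
    while queue:
        channel = queue.popleft()
        for account, channels in recovery.items():
            if account not in fallen and channel in channels:
                fallen.add(account)
                queue.append(account)
    return fallen


def weakest_links(recovery: dict) -> list:
    """Channels ranked by how many accounts fall if that single thing is compromised."""
    channels = set(recovery) | {c for chans in recovery.values() for c in chans}
    ranked = [(len(cascade(recovery, c)) - 1, c) for c in channels]
    return sorted(ranked, reverse=True)


if __name__ == "__main__":
    print("as described:", sorted(cascade(RECOVERY, "apple_phone_support")))
    print("weakest links:", weakest_links(RECOVERY))
    print("hardened:", sorted(cascade(HARDENED, "apple_phone_support")))
```

Running the same analysis against one's own accounts is the practical takeaway: any channel that scores higher than the account it protects is the place to add a second factor or an independent recovery address.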

22 Reader Comments

Quote:

In a job listing posted by Twitter this week, the company seeks software engineers to develop "user-facing security features, such as multifactor authentication and fraudulent login detection." When contacted by Ars, a representative for Twitter said the company has no specific details to share about its plans at this time.

If Ars gets the chance to find out more details, it'd be interesting to learn what form of two-factor Twitter is considering. A pseudo-OTP system like the examples of Google and Microsoft seems the most likely, but it'd be exciting if they were considering other possibilities.

What I think we really, really need though is a widespread, standardized certificate-based system (preferably supporting both PKI and web-of-trust), independent of any single vendor. "Something you have" works best as an actual dedicated and secure hardware device, but while individually a service rolling its own system can work (Blizzard's authenticator, say), that doesn't scale. Users should only need to keep track of a single key, should be able to purchase said key from multiple competitive vendors, and the system shouldn't depend on any ongoing third-party involvement. That would leave every service, big or small, free to use that as a form of authentication and security, and avoid both lock-in and privacy concerns.

The foundations for that do seem to exist already. PKCS & OpenPGP both offer standardized ways to work with smart cards. Hardware is certainly available and has been for years, there are plenty of open source libraries and command line programs available, and all the major OSes have had at least limited support. Certain degrees of support have made it (albeit often buried) into plenty of major applications as well, including much (all?) of Mozilla's suite. Somehow, though, over all these years it's never quite gelled or reached critical mass; we're still waiting on the tipping point. Getting a system working can be quite difficult, there are still plenty of gotchas, there isn't a nice interface on everything, etc.

Quote:

For example, in the case of Wired's Mat Honan, attackers were able to use information available publicly to convince Apple they were Honan so they could "recover" his account and reset his AppleID passwords. Hackers gained access to his Twitter accounts and Gizmodo's Twitter account in the process. Account recovery allows users to use an e-mail address to reset their account information if they have lost or forgotten their password, but it also allowed the hackers to gain access to Honan's Gmail account, as his alternate account was his Apple e-mail address.

I don't see how this follows your premise. What two-factor authentication does Apple use? If they aren't using two-factor to allow authentication somewhere, then that's not the fault of two-factor authentication as a system. Same with Google: if merely having access to an alternative account by itself is enough, then that's not two-factor auth, obviously.

However, the industry needs to standardize on the physical token, or implement the ever-elusive single sign-on. Or else, we'd all end up carrying around dozens of tokens just like that crazy old janitor in your junior high was carrying a giant set of keys.

Stories like this make me wish more people used OpenID. If Twitter used OpenID, Twitter would have used my Google Account--which already has two-factor auth--to allow me to sign in. Instantly, Twitter wouldn't have had my password in their database for people to steal, and my Twitter would have already had two-factor auth. As a plus, if Google screws up and allows a massive breach to happen, I can simply disconnect Google and move to something like Yubikey's service, so I can keep two-factor authentication everywhere.

I guess Twitter just bet that they can do authentication right. And, they actually kinda did. Trusting third parties with your authentication is a really scary thing. Twitter did everything right--and still got burned.

Quote:

What I think we really, really need though is a widespread, standardized certificate based system (preferably supporting both PKI and web-of-trust), independent of any single vendor. "Something you have" works best as an actual dedicated and secure hardware device, but while individually a service rolling its own system can work (Blizzard's authenticator say) that doesn't scale. Users should only need to keep track of a single key, should be able to purchase said key from multiple competitive vendors, and the system shouldn't depend on any ongoing third party involvement. That would leave every service, big or small, free to use that as a form of authentication and security, and avoid both lock-in and privacy concerns.

Yeah, what they said... Google should be the keymaster. We all use a Google service, mobile device, or operating system, so heck yeah, just let them validate me. Although, I hear a lot of people are on that Facebook thing, so maybe they could hold some keys as well, right? Oh, and what about Apple, with all of the products they make, a super cool FaceLock feature that lets you sign-on to sites with a secret facial expression.

2-step auth is excellent, and I hope to see more places having it as an option. Unfortunately I think there was mention on here actually about some malware that also would intercept SMS texts. Still, in the vast majority of cases, I'm much more comfortable with 2-step auth on anything and everything.

I'd prefer if they added Yubi-key support instead of GoogleAuth. The last thing I want is one more reason to have a Google Account beyond watching YT videos.

Actually, what I wish they would do is provide multiple methods of Two-factor authentication like LastPass does. I can ignore the GoogleAuth and just use my Yubi-Key. Or people can ignore using a Yubi-key and use GoogleAuth.

Sadly, LastPass is the only web service I've seen that allows you to choose from various methods.

To all the people saying "I don't want Google to control another account": Google's authenticator is not controlled at all by Google!

The code is open, and you can use it on anything without interacting with Google at all. It's just a pseudo-OTP system using standard algorithms. The only thing that is "Google" about it is that they promoted a spec and they use it.

The thing that makes it convenient is that Google provided a simple-to-use keying app for the major platforms.

Quote:

However, the industry needs to standardize on the physical token, or implement the ever-elusive single sign-on. Or else, we'd all end up carrying around dozens of tokens just like that crazy old janitor in your junior high was carrying a giant set of keys.

With a single seed (a la RSA-esque), now you have a single point of failure. Who provides the auth services? That consolidates a lot of power to a single entity.

I don't think the masses are conscientious enough to manage their own keys, which means someone, somewhere has to do this. That just leads to more problems than it solves, I think.

Yes, if they do it right, two factor is much, MUCH more secure. Good luck cracking anyone's google/lastpass/dropbox/whatever account if they've got 2-factor turned on, and you don't have their phone in your hand. (I'm not saying it can't be done, but it's much, much more difficult than just breaking a single traditional password.)

fferitt25 wrote:

Ooooooh - 2 passwords instead of 1. Yeah so much stronger. LMAO.

How about the collective Internet move away from 128-bit encryption already.

Quote:

However, the industry needs to standardize on the physical token, or implement the ever-elusive single sign-on. Or else, we'd all end up carrying around dozens of tokens just like that crazy old janitor in your junior high was carrying a giant set of keys.

It seems smartphones are becoming proxies for a physical token (like an RSA key). Personally my android phone acts as a keyring for Google, Blizzard and several other systems via SMS messages.

Is that safe? Safer than it was, but not perfect. At least I don't have 20 RSA fobs.

Two factor auth doesn't mean "two passwords". It refers to using two out of three things from the set of: something you know (password), something you have (physical object or something) and something you are (DNA, finger print, retina scan, etc).

Not everyone is going to be able to afford a cell phone. Any service that requires one is not a free service, such as one that can be used from a public library. I find that it props up another type of industry unnecessarily. I don't own a cell phone, and will make attempts not to own one. It opens you up to being tracked without your consent, and location information sold or given to third parties through avenues they consider to be anonymized but which are not (as was evidenced by the Boston traffic story). If you add two-factor auth, you will inevitably cut off a portion of your user base.